Square’s mobile payment system has been hacked. Twice.
Upstart mobile payment processing company Square has its sights set on shaking up the industry. Its iPhone-friendly card reader has been blessed with retail space in Apple stores, and it’s had no trouble securing funding for its efforts, either. Recently Square locked up more than $100 million in investment and scored a valuation of more than $1 billion.
But there have been a couple of bumps in the road for Square. A few months back, Verifone (one of its key competitors) revealed that it was able to skim credit card data using the Square reader. Verifone noted that Square’s reader didn’t bother to encrypt data it transmitted to the app itself, an oversight that Verifone said meant any reasonably skilled coder could whip up a skimming application to harvest swiped card details. Ultimately, the threat might not be any more serious than letting someone hold your card long enough to jot down the information on a Post-It or snap pictures of its front and back.
Nevertheless, Square founder Jack Dorsey responded with news that the company would soon begin offering encrypted readers. Those have yet to come to market, however, and it’s a flaw that has now allowed Aperture Labs (yes, that’s really their name) researchers to capture card information and use it to produce fraudulent cloned cards. Aperture Labs didn’t stop there, however.
A second exploit discovered by its researchers doesn’t require physical possession of the card or the Square reader. With little more than a U.S. bank account and 100 lines of code, the team was able to siphon money from a Visa gift card. Unlike traditional skimming apps, Aperture Labs’ version takes the magnetic stripe data and converts it to a sound file — which can then be played back into the Square reader via a stereo cable. The ensuing beeps are enough to trick the device into processing a charge, and Aperture’s Adam Laurie says that the process requires virtually no skill and very minimal hardware.
Aperture Labs revealed the vulnerability to Square back in February, but the company felt that there were other more obvious ways of committing credit card fraud to worry about — and believed that the federal regulations and anti-fraud systems already in place in modern credit cards provide sufficient defense.
More at CNET